
Securing Web Services Using XML Signature and XML Encryption

RA. K. Saravanaguru, George Abraham, Krishnakumar Venkatasubramanian, Kiransinh Borasia
School of Computer Science and Engineering, VIT University, Vellore, India

Abstract: This paper aims to evaluate the importance of XML Signature and XML Encryption for WS-Security. In today’s e-business scenario, organizations are investing a huge amount of their resources in Web Services. Web Service transactions are done mainly through plain-text XML formats like SOAP and WSDL, hence hacking them is not a tedious task. XML Signature and XML Encryption ensure security to XML documents as well as retain the structure of the documents, thereby making it easy to implement them. These two methods are evaluated on the parameters of authentication, authorization, integration, confidentiality and non-repudiation.

Keywords: XML Signature, Digital Signature, XML Encryption, Web Services, Security

1. Introduction

The concept of Web Services started in the late 1990’s and from then on has become the backbone of the IT industry. Currently all business transactions rely on Web Services to achieve their desired goals. With the portability and customizability of Extensible Markup Language (XML), it has become the universal language for all these Web Services (XML and Web Service – Unleashed; XML for Dummies). XML Web Services are a successful paradigm for many complex web-based applications (Sun and Li, 2005). Web Services use XML as an interface or medium to define business functions and communicate with each other.

Due to its wide usage, web service security is in growing demand day by day. For a successful business environment, it is a necessity that all the applications and communications must be secure and reliable. In the present world, the Internet is the widely used medium for all business transactions and therefore, security is the main concern. In this paper, we first give an overview of Web Service Security followed by a description of the WS-Security Architecture. Then we talk about XML Signature, its types and syntax, followed by an overview of XML Encryption and its syntax. Next we have a detailed description of the existing work that has been done in the field of web service security using XML Signature and XML Encryption, followed by a comparative summarization of the various facilities offered by both.

2. Web Service Security

Web Services, like common web applications, rely on the same HTTP transport protocol and the basic web architecture. Hence they are susceptible to similar threats and vulnerabilities.

Web Service Security (WS-Security) is a flexible and feature-rich extension to SOAP to apply security to web services. It is a member of the WS-* family of web service specifications and was published by OASIS (Web Services Security – Wikipedia).

Some of the basic concepts that Web Services Security is based upon are (Bertino, Carminati and Ferrari, 2001; Han, Park and Lim, 2011; Nordbotten, 2009; Singhal, Winograd and Scarfone, 2007; Web Services Security – Wikipedia):

1 Identification and Authentication: Verifying the identity of the user, process or device to allow access to a resource or information system
2 Authorization: The permission to use a resource
3 Integrity: The property that the data has not been modified in any unauthorized manner while in storage, processing or transit
4 Non-repudiation: Non-denial by either sender or receiver of having sent or received the information, respectively
5 Confidentiality: Preserving authorized restriction and information access
6 Privacy: Restricting access to subscriber or relying party information in accordance with Federal Law and organizational policy

2.1 WS-Security Architecture

Fig. 1 WS-Security Architecture (Singhal, Winograd and Scarfone, 2007)

The open community that created Web Services developed a number of security standards for Web Services. The above reference model maps these standards to the various layers of the standard Web Service (Singhal, Winograd and Scarfone, 2007):

1 WS-Trust: Describes a framework for trust models that enables Web Services to operate securely
2 WS-Policy: Describes the capabilities and constraints of the security policies on intermediaries and endpoints
3 WS-Privacy: Describes a model for how Web Services and requesters state privacy preferences and organizational privacy practice statements
4 WS-Security: Describes how to attach signatures and encryption headers to SOAP messages
5 WS-Federation: Describes how to manage and broker the trust relationships in a heterogeneous federated environment including support for federated identities
6 WS-SecureConversation (Nordbotten, 2009): Describes how to manage and authenticate message exchanges between parties including security context exchange and establishing and deriving session keys

There are two standards for XML Security – XML Signature and XML Encryption. For our discussion, we will be concentrating mainly on XML Signature for XML Security, explaining the basic concept and its various implementation techniques and finally summarizing with a comparison with XML Encryption.

3. XML Signature

Digital Signatures have become an important aspect of electronic security because they can be used to ensure the integrity, authenticity and non-repudiation of data (Sun and Li, 2005). XML Signature is a W3C recommendation, released on 12th February, 2002 (XML Digital Signature – www.w3.org), in which the digital signatures are optimized for XML documents, for ensuring integrity of XML data during the signing and/or verification process (Knap and Mlynkova, 2009). The practical benefits of XML Signature include Partial Signature, which allows signing of specific tags contained in XML data, and Multiple Signature, which allows signing multiple tags in an XML document. The use of XML Signature can solve security problems, including falsification, spoofing, and repudiation.

The XML Signature supports any type of digital signature encryption using all possible standard encryption algorithms. The XML Signature does not represent the primary data, but the encrypted data in the document. MD5, SHA-1 and RSA are some of the algorithms that are used to calculate the hash values of the data. The signature process is carried out on these hash values. The hash value is called the “fingerprint” of the primary data and any small change in the primary data will lead to a large change in the hash value due to the “avalanche effect” (Yue-sheng, Meng-tao and Yong, 2010). After the hash value is signed, it is guaranteed that the integrity of the original document cannot be changed (Yue-sheng, Meng-tao and Yong, 2010).

3.1 Types of XML Signature

There are three basic types of XML Signatures (Bertino, Carminati and Ferrari, 2001; Han, Park and Lim, 2011; Nordbotten, 2009; Sun and Li, 2005): Enveloped Signature, Enveloping Signature and Detached Signature.

In Enveloped XML Signature, as shown in figure 2, the XML Signature is included in the document itself and is the child element of the object being signed. The data being signed envelopes the <signature> and </signature> tags. In Enveloping XML Signature, as shown in figure 3, the document is included in the XML Signature as the child element of the XML Signature. The data being signed is enclosed in the <signature> and </signature> tags. In Detached XML Signature, as shown in figure 4, the XML Signature is a separate document (mainly non-XML) from the signed XML document. The location of the signed document is given as a reference in the XML Signature.

Fig. 2 Enveloped XML Signature

Fig. 3 Enveloping XML Signature

Fig. 4 Detached XML Signature

3.2 XML Signature Structure

XML digital signatures are represented by the Signature element which has the following structure, where "?" denotes zero or one occurrence; "+" denotes one or more occurrences; and "*" denotes zero or more occurrences. (XML Digital Signature – Recommendation – www.w3.org; Yue-sheng, Bao-jian and Wu, 2009)

Fig. 5 XML Signature Structure (Bertino, Carminati and Ferrari, 2001; XML Signature – Wikipedia; Yue-sheng, Bao-jian and Wu, 2009)

The Signature element contains three main pieces of information (Bertino, Carminati and Ferrari, 2001; Han, Park and Lim, 2011; Knap and Mlynkova, 2009; Nordbotten, 2009; XML Signature – Wikipedia; Yue-sheng, Bao-jian and Wu, 2009):

1 SignedInfo: This contains information about the signed collection of XML fragments. This contains or references the signed data and specifies what algorithms are used.

4. Brief Overview of XML Encryption

Encryption is the method of conversion of the sensitive document into a form that is not understandable to unauthorized users. Authorized users have to decrypt the ciphered text in order to understand the content. It is a very old technique to achieve data security. There are various standard encryption algorithms available, like symmetric key encryption and asymmetric (public) key encryption, and these can also be applied to normal XML documents. This process is called XML Encryption. XML Encryption is a W3C Recommendation released on 10th December, 2002.

4.1 XML Encryption Syntax

XML Encryption is represented by the EncryptedData (XML Encryption – Wikipedia; XML Encryption – www.w3.org) element
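Returning to the XML Signature process of section 3, the following added example (not code from the paper) walks through digest-then-sign for a Partial Signature: one element is fingerprinted, the fingerprint is placed in SignedInfo, and SignedInfo is then signed. It is a simplified sketch on Python's standard library; it omits the XMLDSig namespace and algorithm identifiers, and it assumes SHA-256 plus an HMAC under a constructed shared key in place of the MD5, SHA-1 and RSA algorithms the paper names.

```python
import base64, hashlib, hmac
import xml.etree.ElementTree as ET
KEY = b"constructed-demo-key"  # assumption: shared secret standing in for a real signing key

def c14n(elem):
    # Canonicalize so equivalent serializations produce the same bytes
    return ET.canonicalize(ET.tostring(elem, encoding="unicode")).encode()

def digest(elem):
    # The "fingerprint" of the element: base64 SHA-256 of its canonical form
    return base64.b64encode(hashlib.sha256(c14n(elem)).digest()).decode()

def sign(root, target_id):
    """Partial signature: cover only the element whose Id is target_id."""
    target = root.find(f".//*[@Id='{target_id}']")
    sig = ET.SubElement(root, "Signature")
    info = ET.SubElement(sig, "SignedInfo")
    ref = ET.SubElement(info, "Reference", URI="#" + target_id)
    ET.SubElement(ref, "DigestValue").text = digest(target)
    mac = hmac.new(KEY, c14n(info), hashlib.sha256).digest()
    ET.SubElement(sig, "SignatureValue").text = base64.b64encode(mac).decode()
    return root

def verify(root):
    sig = root.find("Signature")
    info = sig.find("SignedInfo")
    # Step 1: the signature value must match SignedInfo (protects the digests)
    expected = hmac.new(KEY, c14n(info), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, base64.b64decode(sig.findtext("SignatureValue"))):
        return False
    # Step 2: every referenced element must still hash to its DigestValue
    for ref in info.findall("Reference"):
        ref_id = ref.get("URI")[1:]
        target = root.find(f".//*[@Id='{ref_id}']")
        if target is None or digest(target) != ref.findtext("DigestValue"):
            return False
    return True

# Constructed sample message (not from the paper)
SAMPLE = "<Order><Payment Id='pay'><Amount>100</Amount></Payment><Note>gift</Note></Order>"

def demo():
    doc = sign(ET.fromstring(SAMPLE), "pay")
    intact = verify(doc)
    doc.find("Note").text = "changed"      # element outside the signed reference
    after_unsigned_edit = verify(doc)
    doc.find(".//Amount").text = "900"     # element inside the signed reference
    after_signed_edit = verify(doc)
    return intact, after_unsigned_edit, after_signed_edit
```

demo() returns (True, True, False): the change to the unsigned Note element is not detected, so a verifier has to confirm that the elements it relies on are the ones a Reference actually covers.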